{"id":2241,"date":"2011-05-10T14:05:11","date_gmt":"2011-05-10T19:05:11","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=2241"},"modified":"2013-09-30T09:57:53","modified_gmt":"2013-09-30T14:57:53","slug":"saml-2","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=2241","title":{"rendered":"SAML"},"content":{"rendered":"

Overview<\/h2><\/span>\n

What is SAML<\/h3><\/span>\n

* SAML stands for Security Assertion Markup Language
\n* Is an XML based standard maintained by OASIS<\/a>
\n* SAML 1.0 approved in 2002
\n* SAML 2.0 approved in 2005<\/p>\n

SAML 2 New Features<\/h3><\/span>\n

* Authentication request protocol: flow starts at the SP who issues an explicit authentication request to IdP. <\/p>\n

What SAML Provides<\/h3><\/span>\n

* Provides single sign-on (SSO) solution in a cross domain environment
\n* Defines a framework for exchanging authentication\/authorization information across domains in the form of assertions instead of<\/em> tokens
\n* Defines a language for
\n– expressing assertions
\n– protocols for requesting and obtaining assertions from SAML authorities
\n– bindings for mapping SAML onto messaging and transport protocols<\/p>\n

Asserting Party<\/h3><\/span>\n

* aka SAML authorities
\n* The system, or administrative domain, that asserts information about a subject.
\n* Example:
\nThis user is JohnDoe, he has an email address of john.doe@acompany.com, and he was authenticated into this system using a password mechanism.<\/p>\n

Relying Party<\/h3><\/span>\n

* The system, or administrative domain, that relies on information supplied to it by the asserting party.<\/p>\n

Addressed Issues<\/h3><\/span>\n

* Limitations of browser cookies
\n* SSO interop
\n* Web services<\/p>\n

SAML Architecture<\/h2><\/span>\n
\"\"<\/a><\/h6><\/span>\n

Assertions<\/h3><\/span>\n

* Assertion is a claim, statement, or declaration of a fact made by a SAML authority
\n* There are three types of assertions:
\n– Authentication assertion: the subject is authenticated<\/p>\n

\r\n   \r\n     \r\n       \r\n         urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\r\n       <\/saml:AuthnContextClassRef>\r\n     <\/saml:AuthnContext>\r\n   <\/saml:AuthnStatement>\r\n<\/pre>\n
– Authorization assertion: the subject is authorized to access a particular resource<\/p>\n
\r\n\r\n  Resource=\"http:\/\/CarRentalInc.com\/doit.cgi\"\r\n  Decision=\"Permit\">\r\n  Execute<\/saml:Action>\r\n<\/saml:AuthzDecisionStatement>\r\n<\/pre>\n
– Attribute assertion: the subject is associated with the supplied attribute<\/p>\n
\r\n\r\n  \r\n    Paid<\/saml:AttributeValue>\r\n  <\/saml:Attribute>\r\n<\/saml:AttributeStatement>\r\n<\/pre>\n
Protocol<\/h3><\/span>\n
* SAML defines a request\/response protocol for obtaining assertions.<\/p>\n
Bindings<\/h3><\/span>\n
* Details exactly how the SAML protocol maps onto transport and messaging protocols.
\n* Examples: SOAP over HTTP binding.<\/p>\n
\"\"<\/a><\/h6><\/span>\n
* Request example:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
* Response example2:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Profiles<\/h3><\/span>\n
* Technical descriptions of particular flows of assertions and protocol messages that define how SAML can be used for a particular purpose.
\n* Derived from use cases.
\n* SAML 1.1 defines two profiles:
\n– Browser\/Artifact Profile: A reference is sent to relying party which is used by relying party to pull assertion from Assertion Party.
\n– Browser\/POST Profile: An assertion is POSTed directory to relying party.<\/p>\n
Browser\/Artifact Profile: Source-Site-First Processing<\/h4><\/span>\n
Traditional Single Sign-On Solutions<\/h3><\/span>\n
* Trusted tickets
\n* Synchronized credentials
\n* Pseudonym services<\/p>\n
SAML Components<\/h2><\/span>\n
* Credential collector: collects user credentials
\n* Session authority: maintains session state
\n* Authentication authority: produces authentication assertions
\n* Attribute authority: produces attribute assertions
\n* Attribute repository: to store attribute assertions<\/p>\n
Common Elements<\/h3><\/span>\n
* Issuer
\n* ds:Signature: issuer signed signature
\n* Subject: to which assertions apply
\n* Conditions: must be evaluated before using assertions
\n* Advice: additional info to assist processing of assertions<\/p>\n
Assertion Statements<\/h3><\/span>\n
Assertion contains 0..* of
\n* AuthnStatement: authentication statement
\n* AuthzDecisionStatement: authorization statement
\n* AttributeStatement: attribute statement
\n* Statement: custom statement<\/p>\n
EncryptedAssertion Element<\/h3><\/span>\n
* xenc:EncryptedData
\n* xenc:EncryptedKey<\/p>\n
Example<\/h3><\/span>\n
\r\n\r\n  http:\/\/authority.example.com\/<\/saml:Issuer>\r\n  ...<\/ds:Signature>\r\n  \r\n    \r\n    jygH5F90l\r\n    <\/saml:NameID>\r\n   <\/saml:Subject>\r\n   \r\n     \r\n       \r\n         urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\r\n       <\/saml:AuthnContextClassRef>\r\n     <\/saml:AuthnContext>\r\n   <\/saml:AuthnStatement>\r\n <\/saml:Assertion>\r\n<\/pre>\n
Example<\/h3><\/span>\n
\r\n\r\n\r\n \r\n   \r\n     \r\n       \r\n        \r\n           \r\n               \r\n           <\/saml:Subject>\r\n       <\/saml:AuthenticationStatement>\r\n       ...\r\n     <\/saml:Assertion>\r\n   <\/Security>\r\n   ...\r\n <\/S11:Header>\r\n \r\n     ...\r\n <\/S11:Body>\r\n<\/S11:Envelope>\r\n<\/pre>\n
SAML Implementations<\/h2><\/span>\n
* ADFS
\n* WebLogic
\n* SAML Open Source Implementations<\/a>
\n– Shibboleth<\/a><\/p>\n
References<\/h2><\/span>\n
* SAML Wiki<\/a>
\n* Security Assertion Markup Language(SAML) V2.0 Technical Overview<\/a>
\n* SAML Spec<\/a>
\n* SAML 2: The Building Blocks of Federated Identity<\/a>
\n* http:\/\/www.cs.ucsb.edu\/~bultan\/courses\/595-W06\/SAML.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Overview What is SAML * SAML stands for Security Assertion Markup Language * Is an XML based standard maintained by OASIS * SAML 1.0 approved in 2002 * SAML 2.0 approved in 2005 SAML 2 New Features * Authentication request … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[119],"tags":[],"class_list":["post-2241","post","type-post","status-publish","format-standard","hentry","category-saml"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-A9","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2241"}],"version-history":[{"count":18,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2241\/revisions"}],"predecessor-version":[{"id":8944,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2241\/revisions\/8944"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}